API Aggregator #4173
@@ -0,0 +1,35 @@ | ||
--- | ||
title: Extending the Kubernetes API with the aggregation layer | ||
assignees: | ||
- lavalamp | ||
- cheftako | ||
- chenopis | ||
--- | ||
|
||
{% capture overview %} | ||
|
||
The aggregation layer allows Kubernetes to be extended with additional APIs, beyond what is offered by the core Kubernetes APIs. | ||
|
||
{% endcapture %} | ||
|
||
{% capture body %} | ||
|
||
## Overview | ||
|
||
The aggregation layer enables installing additional Kubernetes-style APIs in your cluster. These can either be pre-built, existing 3rd party solutions, such as [service-catalog](https://github.com/kubernetes-incubator/service-catalog/blob/master/README.md), or user-created APIs like [apiserver-builder](https://github.com/kubernetes-incubator/apiserver-builder/blob/master/README.md), which can get you started. | ||
|
||
In 1.7 the aggregation layer runs in-process with the kube-apiserver. Until an extension resource is registered, the aggregation layer will do nothing. To register their API, users must add an APIService object, which "claims" the URL path in the Kubernetes API. At that point, the aggregation layer will proxy anything sent to that API path (e.g. /apis/myextension.mycompany.io/v1/…) to the registered APIService. | ||
|
||
Ordinarily, the APIService will be implemented by an *extension-apiserver* in a pod running in the cluster. This extension-apiserver will normally need to be paired with one or more controllers if active management of the added resources is needed. As a result, the apiserver-builder will actually provide a skeleton for both. For example, when the service-catalog is installed, it provides both the extension-apiserver and controller for the services it provides. | ||
|
||
{% endcapture %} | ||
|
||
{% capture whatsnext %} | ||
|
||
* To get the aggregator working in your environment, [configure the aggregation layer](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/). | ||
* Then, [setup an extension api-server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/) to work with the aggregation layer. | ||
* Also, learn how to [extend the Kubernetes API using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/). | ||
|
||
{% endcapture %} | ||
|
||
{% include templates/concept.md %} |
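Review bot: the sentence "or user-created APIs like [apiserver-builder](...)" conflates a tool with an API; apiserver-builder generates a skeleton for a user-created extension-apiserver rather than being one, so suggest "or user-created APIs, for which [apiserver-builder](...) can get you started." Also, "In 1.7" should read "In Kubernetes 1.7", and since the page says an APIService "claims" a URL path and the companion task page says APIService objects are not namespaced, it is worth stating here that registering an APIService is a cluster-wide, privileged operation: everything sent to the claimed path is proxied to the registered extension-apiserver, so only trusted extension-apiservers should be registered.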
@@ -0,0 +1,52 @@ | ||
--- | ||
title: Configure the aggregation layer | ||
assignees: | ||
- lavalamp | ||
- cheftako | ||
- chenopis | ||
--- | ||
|
||
{% capture overview %} | ||
|
||
Configuring the [aggregation layer](/docs/concepts/api-extension/apiserver-aggregation/) allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs. | ||
|
||
{% endcapture %} | ||
|
||
{% capture prerequisites %} | ||
|
||
{% include task-tutorial-prereqs.md %} | ||
|
||
**Note:** There are a few setup requirements for getting the aggregation layer working in your environment to support mutual TLS auth between the proxy and extension apiservers. Kubernetes and the kube-apiserver have multiple CAs, so make sure that the proxy is signed by the aggregation layer CA and not by something else, like the master CA. | ||
|
||
{% endcapture %} | ||
|
||
{% capture steps %} | ||
|
||
## Enable apiserver flags | ||
|
||
Enable the aggregation layer via the following apiserver flags. They may have already been taken care of by your provider. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Clarification: Are these flags meant to be applied when I run I'm pretty sure this is the case but I could be wrong. Either way, could we clarify that "apiserver" means There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It does mean kube-apiserver. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks for the clarification. |
||
|
||
--requestheader-client-ca-file=<path to aggregator CA cert> | ||
--requestheader-allowed-names=aggregator | ||
--requestheader-extra-headers-prefix=X-Remote-Extra- | ||
--requestheader-group-headers=X-Remote-Group | ||
--requestheader-username-headers=X-Remote-User | ||
--proxy-client-cert-file=<path to aggregator proxy cert> | ||
--proxy-client-key-file=<path to aggregator proxy key> | ||
|
||
The [Kubernetes Architectural Roadmap](https://docs.google.com/a/google.com/document/d/1XkjVm4bOeiVkj-Xt1LgoGiqWsBfNozJ51dyI-ljzt1o/edit?usp=sharing) recommends not running kube-proxy on the master. If you follow this recommendation, then you must make sure that the system is enabled with the following apiserver flag. Again, this may have already been taken care of by your provider. | ||
|
||
--enable-aggregator-routing=true | ||
|
||
{% endcapture %} | ||
|
||
{% capture whatsnext %} | ||
|
||
* [Setup an extension api-server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/) to work with the aggregation layer. | ||
* For a high level overview, see [Extending the Kubernetes API with the aggregation layer](/docs/concepts/api-extension/apiserver-aggregation/). | ||
* Learn how to [Extend the Kubernetes API Using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/). | ||
|
||
{% endcapture %} | ||
|
||
{% include templates/task.md %} | ||
|
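Review bot: the Note in the prerequisites ("make sure that the proxy is signed by the aggregation layer CA and not by something else") names neither the certificate nor the flag it refers to, so a reader cannot act on it. Suggest stating it in terms of the flags listed below: the certificate in `--proxy-client-cert-file` is the client certificate the aggregator presents to extension apiservers; it must be issued by the CA in `--requestheader-client-ca-file`, not by the cluster's main CA, and its CN must be one of the names in `--requestheader-allowed-names` (here `aggregator`). An extension apiserver that checks this correctly will otherwise reject the proxy, and one that skips the check would trust `X-Remote-User` / `X-Remote-Group` headers from any client that can reach it, which is why the request-header CA must be distinct from the CA used for ordinary client certificates. Two smaller points: the `--enable-aggregator-routing=true` paragraph says "the system is enabled with" without saying what the flag does (it makes the aggregator route requests to the extension apiserver's endpoint IPs instead of the service cluster IP, which is what is needed when kube-proxy is not running on the master), and the Architectural Roadmap link is a docs.google.com/a/google.com URL that readers outside Google cannot open, so it should be replaced with a public reference or dropped.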
@@ -0,0 +1,55 @@ | ||
--- | ||
title: Setup an extension API server | ||
assignees: | ||
- lavalamp | ||
- cheftako | ||
- chenopis | ||
--- | ||
|
||
{% capture overview %} | ||
|
||
Setting up an extension API server to work the aggregation layer allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs. | ||
|
||
{% endcapture %} | ||
|
||
{% capture prerequisites %} | ||
|
||
* You need to have a Kubernetes cluster running. | ||
* You must [configure the aggregation layer](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/) and enable the apiserver flags. | ||
|
||
{% endcapture %} | ||
|
||
{% capture steps %} | ||
|
||
## Setup an extension api-server to work with the aggregation layer | ||
|
||
The following steps describe how to set up an extension-apiserver *at a high level*. For a concrete example of how they can be implemented, you can look at the [sample-apiserver](https://github.com/kubernetes/sample-apiserver/blob/master/README.md) in the Kubernetes repo. | ||
|
||
Alternatively, you can use an existing 3rd party solution, such as [apiserver-builder](https://github.com/Kubernetes-incubator/apiserver-builder/blob/master/README.md), which should generate a skeleton and automate all of the following steps for you. | ||
|
||
1. Make sure the APIService API is enabled (check `--runtime-config`). It should be on by default, unless it's been deliberately turned off in your cluster. | ||
1. You may need to make an RBAC rule allowing you to add APIService objects, or get your cluster administrator to make one. (Since API extensions affect the entire cluster, it is not recommended to do testing/development/debug of an API extension in a live cluster.) | ||
1. Create the Kubernetes namespace you want to run your extension api-service in. | ||
1. Create/get a CA cert to be used to sign the server cert the extension api-server uses for HTTPS. | ||
1. Create a server cert/key for the api-server to use for HTTPS. This cert should be signed by the above CA. It should also have a CN of the Kube DNS name. This is derived from the Kubernetes service and be of the form <service name>.<service name namespace>.svc | ||
1. Create a Kubernetes secret with the server cert/key in your namespace. | ||
1. Create a Kubernetes deployment for the extension api-server and make sure you are loading the secret as a volume. It should contain a reference to a working image of your extension api-server. The deployment should also be in your namespace. | ||
1. Make sure that your extension-apiserver loads those certs from that volume and that they are used in the HTTPS handshake. | ||
1. Create a Kubernetes service account in your namespace. | ||
1. Create a Kubernetes cluster role for the operations you want to allow on your resources. | ||
1. Create a Kubernetes cluster role binding from the default service account in your namespace to the cluster role you just created. | ||
1. Create a Kubernetes apiservice. The CA cert above should be base 64 encoded, stripped of new lines and used as the spec.caBundle in the apiservce. This should not be namespaced. | ||
1. Use kubectl to get your resource. It should return "No resources found." Which means that everything worked but you currently have no objects of that resource type created yet. | ||
|
||
{% endcapture %} | ||
|
||
{% capture whatsnext %} | ||
|
||
* If you haven't already, [configure the aggregation layer](/docs/tasks/access-kubernetes-api/configure-aggregation-layer/) and enable the apiserver flags. | ||
* For a high level overview, see [Extending the Kubernetes API with the aggregation layer](/docs/concepts/api-extension/apiserver-aggregation/). | ||
* Learn how to [Extend the Kubernetes API Using Custom Resource Definitions](/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/). | ||
|
||
{% endcapture %} | ||
|
||
{% include templates/task.md %} | ||
|
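Review bot: step 11 binds the cluster role to "the default service account in your namespace", but step 9 has just created a dedicated service account, so one of the two steps is inconsistent; suggest binding to the service account created in step 9 and setting it as the deployment's `serviceAccountName`, since the default service account is shared by every pod in the namespace and granting it a cluster role widens the blast radius. Step 5's placeholder `<service name>.<service name namespace>.svc` should read `<service name>.<namespace>.svc`, and step 12 has "apiservce" and "base 64" for "apiservice" and "base64". It would also help to close the trust loop explicitly: the CA from step 4 becomes `spec.caBundle` in step 12 so the aggregator can verify the extension api-server's serving certificate, and step 8 should add that the extension api-server in turn verifies the aggregator's client certificate against the `--requestheader-client-ca-file` CA from the configure-aggregation-layer page, because that is the mutual TLS the prerequisites page requires.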
> As another example, when the service catalog
> got it